US7047562B2 - Conditioning of the execution of an executable program upon satisfaction of criteria - Google Patents
Conditioning of the execution of an executable program upon satisfaction of criteria Download PDFInfo
- Publication number
- US7047562B2 US7047562B2 US09/886,302 US88630201A US7047562B2 US 7047562 B2 US7047562 B2 US 7047562B2 US 88630201 A US88630201 A US 88630201A US 7047562 B2 US7047562 B2 US 7047562B2
- Authority
- US
- United States
- Prior art keywords
- program
- executable application
- executable
- conditions
- execution
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime, expires
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- This invention relates to arrangements for computer security, and more particularly for preventing the use of an executable program until some specific predetermined conditions are met.
- Particular application of the invention is made in security of an intranet or LAN in the presence of access by remote clients using virtual private network connections, and in public-key encryption.
- LANs local area networks
- Each LAN could be considered to be a closed or private intercommunication network to which the public had no access, so long as the workstations were kept in protected or secure locations and the interconnection lines or cables were not publicly accessible.
- each individual user or workstation was in communication with a server. If one of the workstations became infected with a virus, that virus, such as the “Jerusalem” virus, could infect the login.exe portion of server, which in turn would infect other workstations attempting to log onto the server after it became infected.
- a partial solution to the problem of viruses was to provide each workstation with its own antivirus program.
- the script file would execute each time a workstation attempted to log onto the server. Once the existence of a virus was established by the script file of the server, the infected workstation could be taken off-line or denied access to the server, and the infected login.exe program on the server was automatically erased and replaced by a stored, clean version. Operation could then continue as before, with the uninfected workstations accessing the server. If the infected workstation again attempted to log on, it would again be cut off. Eventually, maintenance personnel would examine the infected workstation and disinfect it.
- the login process of the server would, when a workstation attempted to log onto the server, use a script file to call or invoke the antivirus component or program of the workstation, thereby running the antivirus program in the workstation.
- the server would continue the logon of that particular workstation only if the workstation antivirus program returned an error level 0 signal, indicating that the workstation was clean or uninfected.
- viruses are generally spread by email, which continues to have a client-server structure, notwithstanding the underlying peer-to-peer structure of the Internet itself.
- the workstation has become the “server” as to the virus, and can spread the virus to all its peers, mostly by email, but also by network shares, such as network directories.
- gateways In order to expand the utility of LANs when the Internet became available, one or more “gateways” were connected to each LAN or intranet, which resulted in communications between the closed or private intranet and the public Internet.
- the server which provided the gateway received communications from the Internet in only a few protocols, so it was practical to provide antivirus programs in the gateway servers to keep the intranet “clean” or to protect it from viruses. It continued to be advisable to maintain virus protection programs operating at each workstation or client of an intranet, to take care of any viruses incidentally introduced by way of infected diskettes.
- the limited number of gateways or entryways between the Internet and each intranet allowed reasonable virus control, because, with a limited number of gateways, their antivirus programming could be changed in a relatively short time to adapt to a spreading virus in the Internet.
- VPN virtual private network
- pathways or “tunnels” through the Internet have become available which provide a “direct” communication path or link between a remote client workstation (remote as to the intranet to which it connects) and the intranet providing such VPN access.
- the tunnel is a pathway through the Internet which is protected by encryption, and so is effectively private, even though the tunnel passes through a public cyberspace.
- the intranet still requires a remote access server at a gateway in order to encrypt and decrypt information traversing a VPN, the large number of possible data formats or protocols which might be communicated over such a path makes it difficult or impossible to provide proper virus protection by use of currently available remote access servers.
- VPNs for use with intranets
- problems which include the fact that the remote client workstation is physically removed from or outside the physically protected space associated with the intranet, and may therefore be vulnerable to use by other than the authorized user, but this problem can largely be controlled by requiring passwords to allow use of the remote workstation only by authorized personnel.
- Such access does not have the benefit of filtration by a gateway server as it would if the workstation were inside an intranet, which gives rise to the possibility that the remote workstation might become infected with a virus if its antivirus program happens to be turned off or out-of-date. This would be of little concern, except that such a remote client workstation is treated as a part of the “clean” intranet when it communicates therewith by way of a tunnel.
- a virus against which the antivirus protection of some, or all, of the workstations of an intranet is ineffective could spread within the intranet, even if the gateways provided between the Internet and the intranet were capable of handling the virus. Such a situation could result in the intranet becoming unusable until a large number or all of the workstations were disinfected, which could be a very long time for large intranets.
- the policy enforcement agent is an executable program including a header, an execution portion or program, and data.
- the PEA must be satisfied (the policy must be fulfilled) before the underlying program is executed. Separation of the PEA from the underlying program is rendered difficult by “encapsulating” the underlying program within the PEA. Encapsulation is accomplished by attaching the underlying module to a data location of the PEA, and amending the header of the PEA to conform to the resulting combined program. The combined program is substituted for the original underlying program. The underlying program remains unchanged, except for its attachment to the PEA.
- the underlying executable program is simply appended to the PEA.
- the PEA executes and imposes its conditions. If the conditions are met, the underlying program is executed.
- the underlying program when executed, generates a VPN tunnel, and the conditions imposed by the PEA before the underlying program can execute include the presence of an active antivirus program and an active personal firewall.
- a security method for allowing use of a program includes the step of procuring a software executable policy enforcement agent which, when invoked, imposes one or more conditions on successful execution or termination, and which, when successfully executed or terminated, invokes execution of an executable existing program.
- a preexisting or underlying executable program is procured, the use or execution of which is to be made subject to the conditions.
- the preexisting or underlying program is encapsulated with the policy enforcement agent without changing the preexisting program, to thereby produce a combined program.
- the combined program is substituted for the preexisting program, so that the policy enforcement agent executes instead of the preexisting program when the preexisting program is invoked.
- the preexisting program When execution of the preexisting program is desired, the preexisting program is invoked, whereby, or as a result of which, the policy enforcement agent portion of the combined program executes. The conditions imposed by the control module are then satisfied, whereby the preexisting program executes. Of course, if the conditions are not satisfied, execution of the policy enforcement agent terminates unsuccessfully, and the underlying executable program is not invoked.
- the substituting step includes the step of amending the header of the policy enforcement agent portion of the combined program to match the characteristics of the combined program.
- policy enforcement in relation to a preexisting executable program includes the step of generating a software control element which is identifiable to a host operating system as an executable program and which includes an execution component for executing the preexisting executable program, and which also contains a set of conditions which must be met in order to invoke the execution program.
- the software control element is combined with the preexisting executable program, to form a combined program in which the header is that of the software control element.
- the combined program is substituted for the preexisting executable program.
- execution of the preexisting executable program is desired, execution of the combined program is commanded, to thereby execute the software control element, and satisfying the conditions so that the preexisting executable program executes.
- the conditions include current execution or running of an antivirus program. Another condition may be the operation of a personal firewall.
- the preexisting executable program when executed, generates a VPN tunnel.
- the underlying executable program relates to public-key encryption, and the policy requires the existence of an acceptable digital certificate.
- FIG. 1 is a simplified block diagram illustrating the environment in which one aspect of the invention is used
- FIG. 2 is a simplified version of FIG. 1 , illustrating a connection which might cause a remote workstation to become infected with a virus;
- FIG. 3 is a simplified representation of the structure of an executable program for one kind of operating system
- FIG. 4 is a simplified representation of the structure of an executable program such as that of FIG. 3 associated or “encapsulated with” an executable policy enforcement agent;
- FIG. 5 a is a simplified flow chart or flow diagram illustrating the logic of the executable policy enforcement agent
- FIG. 5 b is a simplified flow chart or flow diagram illustrating an alternative form for a portion of the flow of FIG. 5 a.
- an intranet 10 includes a plurality of workstations or clients, some of which are designated as 12 .
- the client workstations 12 may or may not be at a common physical location.
- one large intranet has more than 100,000 client workstations distributed over 160 or more individual controlled sites. Such sites are physically protected, requiring personal identification for access. In many cases, access to the workstations themselves are protected only by passwords, to limit their use to authorized individuals. Access to many functions of the intranet may be available from a workstation without an additional password. However, access to critical or sensitive information on the intranet is limited to those with the proper personal identification and password.
- the intranet 10 includes workstations 12 which are connected to each other by paths, one of which is designated as 13 , which are private, in that they are not readily accessible to unauthorized persons.
- Gateway 14 may include one or more servers 14 s, which interface with the external Internet 20 and, by way of one or more paths 21 , with other public communication channels.
- the gateway servers 14 s provide various services, including virus protection, for communications which pass therethrough.
- a set 16 of various workstations lies external to the intranet 10 .
- Some of these workstations are designated as 16 a and 16 b.
- Workstation 16 a is illustrated as being connected, through the Internet, by a virtual private network (VPN) path 18 , and by way of a remote access server (RAS) 14 ras, to the interior of the intranet 10 .
- VPN virtual private network
- RAS remote access server
- the VPN path 18 bypasses portions of gateway 14 , and communicates with the inside of the intranet 10 more or less directly.
- Setting up the VPN path 18 requires user identification by the operator of remote workstation 16 a to the remote access server, but no workstation validation is required. Consequently, as to the external workstation 16 a communicating by way of VPN path 18 , no virus protection is available to the intranet if the workstation 16 should be infected.
- FIG. 2 the system of FIG. 1 is reduced or simplified to a remote client workstation 16 a connected on a virtual private network 18 through the Internet 20 to the remote access server portion 14 ras of gateway 14 , and through the remote access server portion 14 ras to the intranet 10 .
- the client workstation 16 will be functionally connected to one or more of the workstations within the intranet 10 , but it may simply be “sitting” as though it were another client workstation within the intranet, waiting for any messages which might be addressed thereto.
- the problem with this arrangement is that the VPN authentication mechanism associated with the remote access server 14 ras authenticates the user of the remote workstation, but does not verify that the remote workstation itself is safe to connect to. If the remote user 16 of FIG. 2 accesses his personal email at an uncontrolled external site 22 , the machine may become infected, and the infection may be passed to the intranet.
- the remote workstation 16 a is required to complete execution of a policy enforcement module or policy enforcement agent (PEA) before the VPN is set up.
- PPA policy enforcement agent
- the policy enforcement agent can enforce any desired policy, but in the described situation would involve verifying that the selected antivirus program is running, and possibly checking the antivirus program version, to assure that the proper version is available. In addition, it may be desirable to verify that a personal firewall is in operation on the remote client workstation, to prevent unauthorized connections thereto.
- a “control module” software program is generated, and the policies established by this control module must be executed before the virtual private network client program is permitted to execute.
- the control module must be satisfied that at least the antivirus program in the remote client workstation 16 a is active in order for execution of the VPN-tunnel-forming software to execute.
- the client program is “encapsulated” within the control module.
- FIG. 3 is a representation of the structure of a preexisting Windows-operating-system program executable VPN client program, which is the client program to be controlled in this case.
- Windows PE executables are generally used for VPN format programs, although there is no reason that other operating systems and formats could not be used.
- the VPN client program of FIG. 3 must execute in order to generate the virtual private network path between the client and the intranet.
- the first portion of the program 300 is a header 310 , which identifies to the host operating system the locations of the various portions of the program in the following data stream, and also includes information as to an offset at which to begin execution.
- Portion 312 is the executable program, and data portion 314 , stack portion 316 , and debug symbol table 318 together constitute data for use by the operating program 312 .
- Execution of the program occurs when it is loaded into memory, and the operating system reads the header to determine the locations of the data elements and the offset, memory is allocated to the various data elements, and execution of the executable portion begins.
- executable program section 312 of program 300 of FIG. 3 must execute.
- the executable VPN client program 300 of FIG. 3 is combined with another program to control its execution, or more properly to impose conditions precedent to its execution.
- a software control module 410 is combined with or precedes the “preexisting” executable VPN client program 300 to form a combined program 400 .
- the control module 410 includes a header 412 , an executable program 414 , and various data portions designated together as 416 .
- VPN client program 300 may be viewed as being a further data portion of the combined program 400 including the control module 410 . That is to say, that the VPN client program occupies a location identified in the header of combined program 400 as a data portion.
- program 300 is “invisible” as an executable program.
- the header 412 identification is modified to include the identification of the VPN client program 300 , including file size; failure to update the header may result in identification of the combined program as a virus by some antivirus programs.
- the combined program 400 is then saved, replacing the original VPN client program 300 .
- FIG. 5 a is a simplified flow graph or flow chart illustrating the operation of the control module program 414 of FIG. 4 .
- the logic begins at a START block 510 and flows to a further block 512 , which represents the reading of the policy.
- the policy is to verify that the antivirus program is running on the remote client workstation, and also that the client local firewall process is executing.
- the logic flows to a decision block 514 , which determines if the antivirus program is executing. If the antivirus program is not executing, the logic leaves decision block 514 by the NO output, and proceeds to a block 516 , which represents the sending of a message to the client workstation monitor that the VPN cannot be formed, and possibly the reason therefor.
- block 516 may also cause a message to be sent to the remote access server indicating that the policy check has failed, and possibly for what reason. From block 516 , the logic flows to an END block 518 , representing a failure and termination of the VPN formation.
- decision block 514 finds that the antivirus program is running, the logic leaves the decision block by the YES output, and proceeds to a further decision block 520 .
- Decision block 520 determines if the local firewall is executing. If the local firewall is not executing, the logic leaves decision block 520 by the NO output, and proceeds by way of block 516 to the END block 518 , to terminate VPN formation. If block 520 finds that the firewall is in place and executing, the logic proceeds by way of the YES output to a block 522 .
- Block 522 represents the presentation of the remote client VPN tunnel forming program 300 to the operating system of the remote workstation 16 a for execution. Thus, the client VPN tunnel forming program 300 executes when the control program conditions are met, to form the VPN path.
- FIG. 5 b represents a portion of the arrangement of FIG. 5 a, modified to illustrate one possible alternative logic.
- decision block 520 once decision block 520 has determined that the local firewall is executing, and that the VPN is allowed to be formed, the logic proceeds to a block 524 , which represents a handshaking between the local client and the remote VPN server, and transmission of a message to the remote VPN server that the control policy has been executed, and that the VPN which is about to be set up is authorized. From block 524 of FIG. 5 b, the logic then flows to block 522 , to present the VPN program 300 to the operating system for execution as described in conjunction with FIG. 5 a.
- the encapsulated program (program 300 of FIG. 4 ) is extracted by the operating system of the remote workstation 16 a from the combined program 400 , and saved or stored as a file on any medium from which the operating system can execute, as for example a disk. Execution is then spawned as a subprocess of the control module. The reason for using such a spawning is so that control returns to the control module 410 after execution, which then removes or deletes the extracted file, so that it is not available for a later launch of a VPN tunnel without running the policy enforcement agent. Such a type of execution is simple and straightforward.
- Another, possibly more elegant method for executing the client VPN-tunnel-forming program 300 is manipulate the registers and operating system so that the image of the encapsulated program located in memory is recognized as an executable module and executed, and control is thereby transferred to the executable module 300 pursuant to its header information. Control still returns to the control module after execution.
- This method has the advantage of not requiring erasure of the extracted program 300 , since there is no file be captured and reused to form the VPN tunnel.
- the VPN path is not formed by running the VPN tunnel forming program 300 unless the control protocol is satisfied, and the remote client workstation 16 a cannot connect to the intranet 10 unless the conditions are satisfied. If the conditions include antivirus operation or firewall execution, the intranet is protected to the extent that such programs can provide protection. It should particularly be noted that the client VPN software has not been modified at all, but it has merely been made an adjunct to another program.
- Another embodiment of the invention involves Public Key enablement of a legacy application or program created prior to availability of a public key infrastructure (PKI).
- PKI-enabled application is able to accept a digital certificate in lieu of a normal username/password. Instead of a login, both user identification and authentication is contained in a file, which is the digital certificate.
- Application of the invention to this situation involves encapsulation of the legacy application in a policy enforcement agent. When the legacy application (or the policy enforcement agent) is invoked, the policy enforcement agent accepts, and then decodes/verifies the certificate. If the certificate is valid and the identity expressed by the certificate is authorized for use, the policy enforcement agent passes control to the legacy application together with authorization understandable to the legacy application.
- the operating system has been described as Windows, but could be any common operating system.
- the underlying executable application has been described as simply being appended as data to the software control module, but the executable application may be placed at any desired data location within the software control module, and it may even be possible to break the executable application into different portions, separated from each other by other data portions of the software control module.
- a security method for allowing (or preventing) use of an executable program ( 300 ) includes the step of creating or procuring a software executable policy control or policy enforcement agent ( 410 ) which, when invoked, imposes one or more conditions ( 514 , 520 ) on successful operation, and which, when successfully operated, invokes execution ( 522 ) of an executable application or preexisting program ( 300 ).
- the preexisting or underlying program ( 300 ) is “encapsulated with” or “encapsulated within” the policy enforcement agent ( 410 ) without changing the preexisting program ( 300 ), to thereby produce a combined program ( 400 ).
- the combined program ( 400 ) is substituted for the preexisting program ( 300 ), so that the policy enforcement agent executes instead of the preexisting program ( 300 ) when the preexisting program ( 300 ) is invoked.
- execution of the preexisting program ( 300 ) is desired, the preexisting program ( 300 ) is invoked, whereby the policy enforcement agent portion of the combined program ( 400 ) executes.
- the conditions ( 514 , 520 ) of the control module are then satisfied, whereby the preexisting program ( 300 ) executes.
- the substituting step includes the step of amending the header ( 412 ) of the policy enforcement agent portion ( 410 ) of the combined program ( 400 ) to match the characteristics of the combined program ( 400 ).
- policy enforcement in relation to a preexisting executable program includes the step of generating a software control element ( 410 ) which is identifiable to a host operating system (such as, for example, Windows) as an executable program and which includes an execution component ( 522 ) for executing the preexisting executable program ( 300 ), and which also contains a set of conditions ( 514 , 520 ) which must be met in order to invoke the execution component ( 522 ).
- the software control element ( 410 ) is combined with the preexisting executable program ( 300 ), to form a combined program ( 400 ) in which the header ( 412 ) is that of the software control element ( 410 ).
- the combined program ( 400 ) is substituted for the preexisting executable program ( 300 ).
- execution of the combined program ( 400 ) is commanded, to thereby execute the software control element ( 412 ). Satisfying the conditions ( 514 , 520 ) results in execution of the preexisting executable program ( 300 ).
- the conditions ( 514 , 520 ) include current execution of an antivirus program.
- the preexisting executable program ( 300 ) when executed, generates a VPN tunnel ( 18 ).
- the executable underlying application or program is one which is intended to be conditioned on receipt of authorization information in some format other than that of a conventional X.509 based digital certificate, or whatever form of digital certificate may currently be in widespread use.
- the policy enforcement agent encapsulates the executable application or program to form a combined program, and the program portion of the policy enforcement agent portion of the combined program accepts the current style of digital certificate (as, for example, the X.509-based certificate), reads and authenticates the certificate, and, if the certificate is valid, turns control over to the executable application. If needed, the policy control module also translates the authentication information into a form understandable to the executable application.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/886,302 US7047562B2 (en) | 2001-06-21 | 2001-06-21 | Conditioning of the execution of an executable program upon satisfaction of criteria |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/886,302 US7047562B2 (en) | 2001-06-21 | 2001-06-21 | Conditioning of the execution of an executable program upon satisfaction of criteria |
Publications (2)
Publication Number | Publication Date |
---|---|
US20020199115A1 US20020199115A1 (en) | 2002-12-26 |
US7047562B2 true US7047562B2 (en) | 2006-05-16 |
Family
ID=25388813
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/886,302 Expired - Lifetime US7047562B2 (en) | 2001-06-21 | 2001-06-21 | Conditioning of the execution of an executable program upon satisfaction of criteria |
Country Status (1)
Country | Link |
---|---|
US (1) | US7047562B2 (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070056020A1 (en) * | 2005-09-07 | 2007-03-08 | Internet Security Systems, Inc. | Automated deployment of protection agents to devices connected to a distributed computer network |
US7310730B1 (en) * | 2003-05-27 | 2007-12-18 | Cisco Technology, Inc. | Method and apparatus for communicating an encrypted broadcast to virtual private network receivers |
US20080282349A1 (en) * | 2004-04-26 | 2008-11-13 | Yuji Koui | Computer Virus Identifying Information Extraction System, Computer Virus Identifying Information Extraction Method, and Computer Virus Identifying Information Extraction Program |
US20090007219A1 (en) * | 2007-06-28 | 2009-01-01 | Microsoft Corporation | Determining a merged security policy for a computer system |
US20090228973A1 (en) * | 2008-03-06 | 2009-09-10 | Chendil Kumar | Techniques for automatic discovery and update of client environmental information in a virtual private network (vpn) |
US8209740B1 (en) * | 2011-06-28 | 2012-06-26 | Kaspersky Lab Zao | System and method for controlling access to network resources |
US20130074160A1 (en) * | 2011-09-15 | 2013-03-21 | Fujitsu Limited | Method of controlling information processing system, computer-readable recording medium storing program for controlling apparatus |
AU2012304788B2 (en) * | 2011-09-07 | 2016-12-08 | Microsoft Technology Licensing, Llc | Content handling for applications |
US9710641B2 (en) | 2014-12-12 | 2017-07-18 | Arp-Ip Llc | System and method for replacing common identifying data |
Families Citing this family (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030041268A1 (en) * | 2000-10-18 | 2003-02-27 | Noriaki Hashimoto | Method and system for preventing unauthorized access to the internet |
US7603452B1 (en) * | 2002-03-26 | 2009-10-13 | Symantec Corporation | Networked computer environment assurance system and method |
US7188109B1 (en) * | 2002-07-30 | 2007-03-06 | Unisys Corporation | Cool ICE utilization of digital certificates |
US20050015606A1 (en) * | 2003-07-17 | 2005-01-20 | Blamires Colin John | Malware scanning using a boot with a non-installed operating system and download of malware detection files |
US7386884B2 (en) * | 2004-04-19 | 2008-06-10 | Aladdin Knowledge Systems Ltd. | Method for preventing activation of malicious objects |
US20060156397A1 (en) * | 2005-01-13 | 2006-07-13 | Steven Dai | A New Anti-spy method without using scan |
US7441094B2 (en) * | 2005-07-05 | 2008-10-21 | Microsoft Corporation | Memory management configuration |
US8042184B1 (en) * | 2006-10-18 | 2011-10-18 | Kaspersky Lab, Zao | Rapid analysis of data stream for malware presence |
US8850547B1 (en) | 2007-03-14 | 2014-09-30 | Volcano Corporation | Remote access service inspector |
GB2469308B (en) * | 2009-04-08 | 2014-02-19 | F Secure Oyj | Disinfecting a file system |
US10511630B1 (en) | 2010-12-10 | 2019-12-17 | CellSec, Inc. | Dividing a data processing device into separate security domains |
US8892875B1 (en) * | 2011-07-29 | 2014-11-18 | Trend Micro Incorporated | Methods and apparatus for controlling access to encrypted computer files |
US9294508B2 (en) * | 2012-08-02 | 2016-03-22 | Cellsec Inc. | Automated multi-level federation and enforcement of information management policies in a device network |
US9344422B2 (en) | 2013-03-15 | 2016-05-17 | Oracle International Corporation | Method to modify android application life cycle to control its execution in a containerized workspace environment |
JP6480908B2 (en) * | 2013-03-15 | 2019-03-13 | オラクル・インターナショナル・コーポレイション | Protected communication between computers between applications |
US9646309B2 (en) | 2014-04-04 | 2017-05-09 | Mobilespaces | Method for authentication and assuring compliance of devices accessing external services |
EP3198418B1 (en) | 2014-09-24 | 2020-04-22 | Oracle International Corporation | Method to modify android application life cycle to control its execution in a containerized workspace environment |
US20170329966A1 (en) * | 2016-05-13 | 2017-11-16 | Qualcomm Incorporated | Electronic device based security management |
Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5361359A (en) * | 1992-08-31 | 1994-11-01 | Trusted Information Systems, Inc. | System and method for controlling the use of a computer |
US6154839A (en) * | 1998-04-23 | 2000-11-28 | Vpnet Technologies, Inc. | Translating packet addresses based upon a user identifier |
US6173399B1 (en) * | 1997-06-12 | 2001-01-09 | Vpnet Technologies, Inc. | Apparatus for implementing virtual private networks |
US6292569B1 (en) * | 1996-08-12 | 2001-09-18 | Intertrust Technologies Corp. | Systems and methods using cryptography to protect secure computing environments |
US20010025346A1 (en) * | 2000-01-20 | 2001-09-27 | Makoto Kayashima | Security management system and security managing method |
US20020029350A1 (en) * | 2000-02-11 | 2002-03-07 | Cooper Robin Ross | Web based human services conferencing network |
US6367012B1 (en) * | 1996-12-06 | 2002-04-02 | Microsoft Corporation | Embedding certifications in executable files for network transmission |
US20020099952A1 (en) * | 2000-07-24 | 2002-07-25 | Lambert John J. | Policies for secure software execution |
US20020120776A1 (en) * | 2000-12-23 | 2002-08-29 | Eggebraaten Thomas John | Computer system, method, and business method for automating business-to-business communications |
US20020174358A1 (en) * | 2001-05-15 | 2002-11-21 | Wolff Daniel Joseph | Event reporting between a reporting computer and a receiving computer |
US6505343B1 (en) * | 1998-12-31 | 2003-01-07 | Intel Corporation | Document/view application development architecture applied to ActiveX technology for web based application delivery |
US6584508B1 (en) * | 1999-07-13 | 2003-06-24 | Networks Associates Technology, Inc. | Advanced data guard having independently wrapped components |
US6658571B1 (en) * | 1999-02-09 | 2003-12-02 | Secure Computing Corporation | Security framework for dynamically wrapping software applications executing in a computing system |
US6684329B1 (en) * | 1999-07-13 | 2004-01-27 | Networks Associates Technology, Inc. | System and method for increasing the resiliency of firewall systems |
-
2001
- 2001-06-21 US US09/886,302 patent/US7047562B2/en not_active Expired - Lifetime
Patent Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5361359A (en) * | 1992-08-31 | 1994-11-01 | Trusted Information Systems, Inc. | System and method for controlling the use of a computer |
US6292569B1 (en) * | 1996-08-12 | 2001-09-18 | Intertrust Technologies Corp. | Systems and methods using cryptography to protect secure computing environments |
US6367012B1 (en) * | 1996-12-06 | 2002-04-02 | Microsoft Corporation | Embedding certifications in executable files for network transmission |
US6173399B1 (en) * | 1997-06-12 | 2001-01-09 | Vpnet Technologies, Inc. | Apparatus for implementing virtual private networks |
US6154839A (en) * | 1998-04-23 | 2000-11-28 | Vpnet Technologies, Inc. | Translating packet addresses based upon a user identifier |
US6505343B1 (en) * | 1998-12-31 | 2003-01-07 | Intel Corporation | Document/view application development architecture applied to ActiveX technology for web based application delivery |
US6658571B1 (en) * | 1999-02-09 | 2003-12-02 | Secure Computing Corporation | Security framework for dynamically wrapping software applications executing in a computing system |
US6584508B1 (en) * | 1999-07-13 | 2003-06-24 | Networks Associates Technology, Inc. | Advanced data guard having independently wrapped components |
US6684329B1 (en) * | 1999-07-13 | 2004-01-27 | Networks Associates Technology, Inc. | System and method for increasing the resiliency of firewall systems |
US20010025346A1 (en) * | 2000-01-20 | 2001-09-27 | Makoto Kayashima | Security management system and security managing method |
US20020029350A1 (en) * | 2000-02-11 | 2002-03-07 | Cooper Robin Ross | Web based human services conferencing network |
US20020099952A1 (en) * | 2000-07-24 | 2002-07-25 | Lambert John J. | Policies for secure software execution |
US20020120776A1 (en) * | 2000-12-23 | 2002-08-29 | Eggebraaten Thomas John | Computer system, method, and business method for automating business-to-business communications |
US20020174358A1 (en) * | 2001-05-15 | 2002-11-21 | Wolff Daniel Joseph | Event reporting between a reporting computer and a receiving computer |
Non-Patent Citations (1)
Title |
---|
Fraser et al., Hardening COTS Software with Generic Software Wrappers, May 9-12, 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp. 2-16. * |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7310730B1 (en) * | 2003-05-27 | 2007-12-18 | Cisco Technology, Inc. | Method and apparatus for communicating an encrypted broadcast to virtual private network receivers |
US20080282349A1 (en) * | 2004-04-26 | 2008-11-13 | Yuji Koui | Computer Virus Identifying Information Extraction System, Computer Virus Identifying Information Extraction Method, and Computer Virus Identifying Information Extraction Program |
US8904529B2 (en) * | 2005-09-07 | 2014-12-02 | International Business Machines Corporation | Automated deployment of protection agents to devices connected to a computer network |
US20070056020A1 (en) * | 2005-09-07 | 2007-03-08 | Internet Security Systems, Inc. | Automated deployment of protection agents to devices connected to a distributed computer network |
US9325725B2 (en) | 2005-09-07 | 2016-04-26 | International Business Machines Corporation | Automated deployment of protection agents to devices connected to a distributed computer network |
US20090007219A1 (en) * | 2007-06-28 | 2009-01-01 | Microsoft Corporation | Determining a merged security policy for a computer system |
US8443433B2 (en) | 2007-06-28 | 2013-05-14 | Microsoft Corporation | Determining a merged security policy for a computer system |
US20090228973A1 (en) * | 2008-03-06 | 2009-09-10 | Chendil Kumar | Techniques for automatic discovery and update of client environmental information in a virtual private network (vpn) |
US8209740B1 (en) * | 2011-06-28 | 2012-06-26 | Kaspersky Lab Zao | System and method for controlling access to network resources |
AU2012304788B2 (en) * | 2011-09-07 | 2016-12-08 | Microsoft Technology Licensing, Llc | Content handling for applications |
US10445528B2 (en) * | 2011-09-07 | 2019-10-15 | Microsoft Technology Licensing, Llc | Content handling for applications |
US20130074160A1 (en) * | 2011-09-15 | 2013-03-21 | Fujitsu Limited | Method of controlling information processing system, computer-readable recording medium storing program for controlling apparatus |
US8904492B2 (en) * | 2011-09-15 | 2014-12-02 | Fujitsu Limited | Method of controlling information processing system, computer-readable recording medium storing program for controlling apparatus |
US9710641B2 (en) | 2014-12-12 | 2017-07-18 | Arp-Ip Llc | System and method for replacing common identifying data |
US10204217B2 (en) | 2014-12-12 | 2019-02-12 | Arp-Ip Llc | System and method for replacing common identifying data |
Also Published As
Publication number | Publication date |
---|---|
US20020199115A1 (en) | 2002-12-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7047562B2 (en) | Conditioning of the execution of an executable program upon satisfaction of criteria | |
US9906534B2 (en) | Remote access to resources over a network | |
US9781114B2 (en) | Computer security system | |
JP5067771B2 (en) | Secure network file access control system | |
US6189100B1 (en) | Ensuring the integrity of remote boot client data | |
CN100437530C (en) | Method and system for providing secure access to private networks with client redirection | |
US7827590B2 (en) | Controlling access to a set of resources in a network | |
US7024695B1 (en) | Method and apparatus for secure remote system management | |
US10356612B2 (en) | Method of authenticating a terminal by a gateway of an internal network protected by an access security entity providing secure access | |
US20050131997A1 (en) | System and methods for providing network quarantine | |
US7343599B2 (en) | Network-based patching machine | |
US20070124803A1 (en) | Method and apparatus for rating a compliance level of a computer connecting to a network | |
KR20060047551A (en) | System and methods for providing network quarantine | |
US20110023109A1 (en) | Network Firewall Host Application Identification and Authentication | |
US20030177387A1 (en) | Secured web entry server | |
US8321538B2 (en) | Autonomous network device configuration method | |
WO2005079467A2 (en) | Secure, real-time application execution control system and methods | |
WO2006012014A2 (en) | Security protection apparatus and methods for endpoint computing systems | |
US8813197B2 (en) | Techniques for network process identity enablement | |
US20230006988A1 (en) | Method for selectively executing a container, and network arrangement | |
Reinhardt | An architectural overview of UNIX network security | |
US20040019806A1 (en) | Securing a remote command call using a security protocol | |
JP2005202970A (en) | Security system and security method for firewall, and computer program product | |
WO2009005698A1 (en) | Computer security system | |
JP3808663B2 (en) | Computer network system and access control method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: LOCKHEED MARTIN CORPORATION, MARYLAND Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:PETERSON, ATLEY PADGETT;GAO, XIANG;REEL/FRAME:011956/0520;SIGNING DATES FROM 20010620 TO 20010621 |
|
FEPP | Fee payment procedure |
Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
FPAY | Fee payment |
Year of fee payment: 4 |
|
FPAY | Fee payment |
Year of fee payment: 8 |
|
AS | Assignment |
Owner name: ABACUS INNOVATIONS TECHNOLOGY, INC., MARYLAND Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LOCKHEED MARTIN CORPORATION;REEL/FRAME:039765/0714 Effective date: 20160816 |
|
AS | Assignment |
Owner name: LEIDOS INNOVATIONS TECHNOLOGY, INC., MARYLAND Free format text: CHANGE OF NAME;ASSIGNOR:ABACUS INNOVATIONS TECHNOLOGY, INC.;REEL/FRAME:039808/0977 Effective date: 20160816 |
|
AS | Assignment |
Owner name: CITIBANK, N.A., DELAWARE Free format text: SECURITY INTEREST;ASSIGNORS:VAREC, INC.;REVEAL IMAGING TECHNOLOGIES, INC.;ABACUS INNOVATIONS TECHNOLOGY, INC.;AND OTHERS;REEL/FRAME:039809/0603 Effective date: 20160816 Owner name: CITIBANK, N.A., DELAWARE Free format text: SECURITY INTEREST;ASSIGNORS:VAREC, INC.;REVEAL IMAGING TECHNOLOGIES, INC.;ABACUS INNOVATIONS TECHNOLOGY, INC.;AND OTHERS;REEL/FRAME:039809/0634 Effective date: 20160816 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553) Year of fee payment: 12 |
|
AS | Assignment |
Owner name: REVEAL IMAGING TECHNOLOGY, INC., VIRGINIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:051855/0222 Effective date: 20200117 Owner name: SYTEX, INC., VIRGINIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:051855/0222 Effective date: 20200117 Owner name: SYSTEMS MADE SIMPLE, INC., NEW YORK Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:051855/0222 Effective date: 20200117 Owner name: LEIDOS INNOVATIONS TECHNOLOGY, INC. (F/K/A ABACUS INNOVATIONS TECHNOLOGY, INC.), VIRGINIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:051855/0222 Effective date: 20200117 Owner name: QTC MANAGEMENT, INC., CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:051855/0222 Effective date: 20200117 Owner name: VAREC, INC., VIRGINIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:051855/0222 Effective date: 20200117 Owner name: OAO CORPORATION, VIRGINIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:051855/0222 Effective date: 20200117 Owner name: REVEAL IMAGING TECHNOLOGY, INC., VIRGINIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:052316/0390 Effective date: 20200117 Owner name: OAO CORPORATION, VIRGINIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:052316/0390 Effective date: 20200117 Owner name: VAREC, INC., VIRGINIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:052316/0390 Effective date: 20200117 Owner name: SYSTEMS MADE SIMPLE, INC., NEW YORK Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:052316/0390 Effective date: 20200117 Owner name: LEIDOS INNOVATIONS TECHNOLOGY, INC. (F/K/A ABACUS INNOVATIONS TECHNOLOGY, INC.), VIRGINIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:052316/0390 Effective date: 20200117 Owner name: SYTEX, INC., VIRGINIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:052316/0390 Effective date: 20200117 Owner name: QTC MANAGEMENT, INC., CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:052316/0390 Effective date: 20200117 |